SEED Labs – Firewall Exploration Lab Report

SEED Labs – Firewall Exploration Lab Report 1

Overview 1
Environment Setup Using Containers 1
ask 1: Implementing a Simple Firewall 5
Task 1.A: Implement a Simple Kernel Module 5
Task 1.B: Implement a Simple Firewall Using Netfilter 9
Task 2: Experimenting with Stateless Firewall Rules 20
Task 2.A: Protecting the Router 20
Task 2.B: Protecting the Internal Network 20
Task 2.C: Protecting Internal Servers 21
Task 3: Connection Tracking and Stateful Firewall 21
Task 3.A: Experiment with Connection Tracking 21
Task 3.B: Setting Up a Stateful Firewall 22
Task 4: Limiting Network Traffic 22
Task 5: Load Balancing 22
Conclusion 23
Overview

In this lab, I explored how firewalls work and learned how to set up a simple firewall for a
network using both a custom stateless packet-filtering firewall and iptables in Linux. I used a
provided SEED Ubuntu 20.04 VM and Docker containers to simulate a network environment for
this lab.

Environment Setup Using Containers

First, I set up the lab environment using Docker containers. The network topology included
multiple machines as depicted in Figure 1 of the lab manual. Here are the steps I followed:

Downloaded the Labsetup.zip file:

Set up the lab environment using Docker Compose:

dcbuild # Alias for: docker-compose build

dcup # Alias for: docker-compose up

Checked running containers:

dockps
ask 1: Implementing a Simple Firewall

Task 1.A: Implement a Simple Kernel Module

I started by compiling and running a simple Loadable Kernel Module (LKM). The module prints
"Hello World!" when loaded and "Bye-bye World!" when removed.

Created hello.c with the following content:

c

#include <linux/module.h>
#include <linux/kernel.h>

int initialization(void) {
printk(KERN_INFO "Hello World!\n");
 return 0;
}

void cleanup(void) {
printk(KERN_INFO "Bye-bye World!.\n");
}

module_init(initialization);
module_exit(cleanup);
Created Makefile:
makefile

obj-m += hello.o

all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
Compiled the kernel module:
Make
Loaded and removed the module:
sudo insmod hello.ko
lsmod | grep hello
sudo rmmod hello
dmesg
sudo dmesg # For Ubuntu 22.04

The output from dmesg confirmed that the module was loaded and unloaded successfully.
Task 1.B: Implement a Simple Firewall Using Netfilter

I implemented a packet filtering module using Netfilter and LKM.

1. Created seedFilter.c with hook functions for filtering packets.

2. Compiled the module using the provided Makefile.

Loaded the module:

sudo insmod seedFilter.ko

Verified the firewall by sending UDP packets to 8.8.8.8:

dig @8.8.8.8 www.example.com

Task 2: Experimenting with Stateless Firewall Rules

I used iptables to set up firewall rules on the router container.

Task 2.A: Protecting the Router

I set rules to prevent outside access to the router except for ping.

Added the following iptables rules:

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -P OUTPUT DROP # Set default rule for OUTPUT
iptables -P INPUT DROP # Set default rule for INPUT
Tested access from another container:

ping 10.9.0.1
telnet 10.9.0.1
Cleaned up the iptables rules:

iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT

Task 2.B: Protecting the Internal Network

I set up rules on the router to protect the internal network.

Added rules to enforce the following restrictions:

iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP

1.
2. Verified by pinging from external and internal hosts.
Task 2.C: Protecting Internal Servers

I set up rules to control access to internal servers.

Added rules to allow telnet access to a specific internal host and block others:

iptables -A FORWARD -i eth0 -p tcp --dport 23 -j ACCEPT

iptables -A FORWARD -i eth1 -p tcp --dport 23 -d 192.168.60.5 -j
ACCEPT
Cleaned up the iptables rules:
iptables -F
Task 3: Connection Tracking and Stateful Firewall

I experimented with connection tracking to understand stateful firewalls.

Task 3.A: Experiment with Connection Tracking

Checked connection tracking information on the router:

conntrack -L
Conducted experiments with ICMP, UDP, and TCP:

# ICMP
ping 192.168.60.5

# UDP
nc -lu 9090
nc -u 192.168.60.5 9090

# TCP
nc -l 9090
nc 192.168.60.5 9090

Task 3.B: Setting Up a Stateful Firewall

I set up firewall rules using connection tracking.

Added stateful firewall rules:

iptables -A FORWARD -p tcp -m conntrack --ctstate ESTABLISHED,RELATED

-j ACCEPT
iptables -A FORWARD -p tcp --dport 8080 --syn -m conntrack --ctstate
NEW -j ACCEPT
iptables -P FORWARD DROP
Rewrote Task 2.C rules using connection tracking.
Task 4: Limiting Network Traffic

I used the limit module of iptables to limit network traffic.

Added rate limiting rules:

iptables -A FORWARD -s 10.9.0.5 -m limit --limit 10/minute

--limit-burst 5 -j ACCEPT
iptables -A FORWARD -s 10.9.0.5 -j DROP
Tested with and without the second rule.

Task 5: Load Balancing

I used iptables to implement load balancing for UDP servers.

Started UDP servers on internal hosts:

nc -luk 8080
Set up load balancing rules using nth mode:

iptables -t nat -A PREROUTING -p udp --dport 8080 -m statistic --mode

nth --every 3 --packet 0 -j DNAT --to-destination 192.168.60.5:8080
Added additional rules for equal load distribution.

Used random mode for load balancing:

iptables -t nat -A PREROUTING -p udp --dport 8080 -m statistic --mode

random --probability 0.33 -j DNAT --to-destination 192.168.60.5:8080
Conclusion

Through this lab, I gained practical experience in setting up and managing firewalls using both
custom LKMs and iptables. I explored various aspects of firewall functionality, including
stateless and stateful filtering, rate limiting, and load balancing. The detailed steps and
observations documented in this report demonstrate the successful implementation and
understanding of firewall mechanisms in a networked environment.